PT-2026-3877 · Docmost +1

Arthurgervais +1 · Published 2026-01-21 · Updated 2026-02-17 · CVE-2026-23630

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Docmost versions 0.3.0 through 0.23.2

Description: Docmost is collaborative wiki and documentation software. Versions 0.3.0 through 0.23.2 are susceptible to stored Cross-Site Scripting (XSS) due to improper sanitization when rendering Mermaid code blocks. The mermaid.render() function is used to render diagrams, and the resulting SVG/HTML is injected into the Document Object Model (DOM) using dangerouslySetInnerHTML without appropriate sanitization. Mermaid's %%{init}%% directives can override security settings and enable HTML labels, allowing arbitrary HTML and JavaScript to execute in the browser of anyone viewing the diagrams.

Recommendations: Update to version 0.24.0 or later.
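As an added illustration of the defensive side of the description above (example code, not Docmost's or Mermaid's own fix), the guard below runs over user-supplied Mermaid source before mermaid.render() and neutralises %%{init}%% directives that try to relax rendering security. It assumes the settings at issue are the Mermaid config keys `securityLevel` and `htmlLabels`, and that a directive body can be parsed as JSON after replacing single quotes with double quotes; both are assumptions, not facts from the advisory.

```javascript
// Added example (not Docmost's or Mermaid's own code): pre-render guard for
// user-supplied Mermaid source. Removes directive-level overrides of the
// security-relevant config keys (assumed: securityLevel and htmlLabels) so a
// stored diagram cannot opt itself into HTML labels before the SVG is built.
const SECURITY_KEYS = new Set(["securityLevel", "htmlLabels"]);

// Mermaid directive syntax: %%{init: { ... }}%%. The single-quote to
// double-quote substitution below is an assumption about the body format.
const INIT_DIRECTIVE = /%%\{\s*init\s*:\s*(\{[\s\S]*?\})\s*\}%%/g;

// Recursively delete security-relevant keys at any nesting depth
// (e.g. flowchart.htmlLabels); returns the number of keys removed.
function stripSecurityKeys(obj) {
  if (obj === null || typeof obj !== "object") return 0;
  let removed = 0;
  for (const key of Object.keys(obj)) {
    if (SECURITY_KEYS.has(key)) {
      delete obj[key];
      removed++;
    } else {
      removed += stripSecurityKeys(obj[key]);
    }
  }
  return removed;
}

// Returns { source, overridesRemoved }. A directive whose body does not parse
// is dropped entirely (fail closed) instead of being passed through unchecked.
function hardenMermaidSource(source) {
  let overridesRemoved = 0;
  const hardened = source.replace(INIT_DIRECTIVE, (whole, body) => {
    let config;
    try {
      config = JSON.parse(body.replace(/'/g, '"'));
    } catch {
      overridesRemoved++;
      return "";
    }
    overridesRemoved += stripSecurityKeys(config);
    return `%%{init: ${JSON.stringify(config)}}%%`;
  });
  return { source: hardened, overridesRemoved };
}

// Constructed sample: a diagram that tries to relax securityLevel and enable
// HTML labels while also setting a harmless theme that should survive.
const SAMPLE =
  "%%{init: {'securityLevel': 'loose', 'flowchart': {'htmlLabels': true}, 'theme': 'dark'}}%%\n" +
  "graph TD\n  A --> B";
```

This guard is defence in depth only: the SVG/HTML that mermaid.render() returns still has to be sanitised before it reaches dangerouslySetInnerHTML, as the advisory's fix in 0.24.0 addresses.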

Tags: Exploit · Fix · XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-23630, GHSA-R4HJ-MC62-JMWJ

Affected Products: Docmost, Mermaid